Legal
This policy explains what personal data Nikic Company UK Ltd (“taleseal”, “we”, “us”) collects when you use the taleseal service, why we collect it, and the rights you have over it under UK data protection law (the UK GDPR and the Data Protection Act 2018). We are the controller of the personal data described here. Questions, requests and complaints all go to [email protected].
The controller is Nikic Company UK Ltd, operator of the taleseal service at taleseal.com. We are registered with the Information Commissioner’s Office (ICO) as a data controller. You can reach us about anything in this policy at [email protected].
Account data. Your name, email address and password. The password is stored only as a scrypt hash. We never store it in plain text and cannot read it back.
API keys. Keys are stored only as SHA-256 hashes, together with the name you gave the key and timestamps of when it was created and last used. The key itself is shown to you once, at creation, and never stored.
Tales. The content you choose to publish. A tale may contain whatever you put in it (code, command output, diffs, logs) and the CLI shows you a preview and warns you to redact secrets and anything sensitive before anything leaves your machine. If a tale contains personal data, that is data you chose to publish; section 9 covers your responsibilities and how anyone can report a problem.
Session data. When you sign in we set a session cookie (see section 5). The session record in our database also stores the IP address and browser user agent the session was created with, and is deleted when the session ends or expires.
IP addresses for rate limiting. Most rate limits (viewing tales, publishing, key minting) are counted in the application’s memory only: the address is held transiently for the duration of a short counting window, is never written to disk or to the database, and disappears when the window lapses or the app restarts. The exception is sign-in and sign-up, where the counter must survive restarts to keep password guessing slow: a counter keyed by network address is kept in our database, containing only that key, a request count and a timestamp, and is overwritten as windows pass.
Error logs. Minimal operational logs, correlated by request id. They never contain tale content.
Product analytics. We use PostHog (see section 6) to understand how the service is used, and it works in two ways. On our public pages — the marketing and documentation pages, and the sign-in and dashboard pages — we load PostHog in your browser to measure page views, clicks and session information. This runs only if you accept analytics cookies in the banner shown on your first visit; until you accept, nothing is loaded and no analytics cookie is set. On the product itself — a tale being published, viewed or retracted, an API key being created or revoked, a draft being finalised — we record a small, fixed set of events from our server, needing no cookie and no browser script. Every event carries only shape, never content: for a tale that means its agent name, size, beat count and age, and never its id, title or body. Events by a signed-in user are linked to that account (by your user id, with your name and email held as account properties); anonymous activity is linked to no profile.
Tale pages are never tracked in your browser. They load no analytics script and set no cookie, signed in or not. Reading a tale is counted only by a server-side tally that knows the tale’s shape, never who read it.
That is the list. Beyond the events above, we build no behavioural profiles and no device fingerprints, and we do not track you across other websites.
We do not use your data for marketing, we do not sell it, and we do not share it with anyone except the processors in section 6.
taleseal sets a strictly necessary session cookie to keep you signed in (set by our authentication layer, Better Auth); it needs no consent. On our public pages we also use PostHog analytics cookies, but only after you accept them in the cookie banner shown on your first visit; until then, none are set. To withdraw consent later, clear this site’s cookies (the banner reappears, and nothing is set again unless you accept). Reading a tale sets no cookie at all, whether or not you are signed in.
We use these providers, each acting as a processor on our behalf:
These providers run on global infrastructure and are US-headquartered, so your data may be stored or processed in the UK or elsewhere. Where processing involves a transfer outside the UK, it takes place under each provider’s data processing agreement, which incorporates recognised transfer safeguards (such as the UK International Data Transfer Addendum or Standard Contractual Clauses).
Under UK GDPR you have the right to access your personal data, to rectify it, to have it erased, to restrict or object to processing, and to data portability. You also have the right to complain to the Information Commissioner’s Office (ico.org.uk), though we’d appreciate the chance to sort things out first.
You can delete your account yourself at any time from your dashboard. Deleting it removes your account, sessions, API keys and tales. You can also retract any tale (its content is destroyed at once) and revoke any API key from the dashboard. For any other request (access, rectification, portability, restriction or objection), email [email protected] and we will act on a verified request within one month, as the law requires.
You choose what a tale contains, and you must have the right to publish it. The Terms of Service and Acceptable Use Policy prohibit publishing other people’s personal data without permission. If a tale contains personal data about you that you want gone: if you published it, retract it; if someone else did, email [email protected] with the tale’s URL and we will assess and act under our takedown process.
Passwords are hashed with scrypt, API keys are stored only as SHA-256 hashes, all traffic is forced to HTTPS, and error logs never contain tale content. The full, current list of security controls (kept in step with the code) is at /security.
taleseal is not for children: the Terms of Service require you to be at least 18 to hold an account. We do not knowingly collect personal data from anyone under 18.
We may update this policy from time to time. When we do, we’ll post the new version here and update the “Last updated” date at the top. If a change is material, we’ll flag it prominently with reasonable notice before it takes effect.
Contact
Nikic Company UK Ltd